74 research outputs found

    A Comparison of Time-Memory Trade-Off Attacks on Stream Ciphers

    Contains fulltext: 117176.pdf (preprint version) (Open Access

    Invertibility of multiple random functions and its application to symmetric ciphers

    The invertibility of a random function (IRF, in short) is an important problem and has wide applications in cryptography. For example, searching a preimage of Hash functions, recovering a key of block ciphers under the known-plaintext-attack model, solving discrete logarithms over a prime field with large prime, and so on, can be viewed as its instances. In this work we describe the invertibility of multiple random functions (IMRF, in short), which is a generalization of the IRF. In order to solve the IMRF, we generalize the birthday theorem. Based on the generalized birthday theorem and time-memory tradeoff (TMTO, in short) method, we present an efficient TMTO method of solving an IMRF, which can be viewed as a generalization of three main TMTO attacks, that is, Hellman’s attack, Biryukov and Shamir’s attack with BSW sampling, and Biryukov, Mukhopadhyay and Sarkar’s time-memory-key tradeoff attack. Our method is highly parallel and suitable for distributed computing environments. As a generalization of Hellman’s attack, our method overcomes its shortcoming of using only one pair of known plaintext and ciphertext and first admits more than one datum in a TMTO on block ciphers at the single key scenario. As a generalization of Biryukov and Shamir’s attack with BSW sampling, our method overcomes its shortcoming of using only a few data with specific prefix in stream ciphers and can utilize all data without any waste. As applications, we get two new tradeoff curves: $N^2 = TM^2D^3$, $N = PD$ and $D = \tau$ for block ciphers, and $N^2 = \tau^3TM^2D^2$, $N = \tau PD$ and $D \ge \tau$ for stream ciphers, where τ is the number of random functions, that is, the number of independent computing units available to an attacker, N is the size of key space (for block ciphers) or state (for stream ciphers) space, D the number of data captured by the attacker, and T, M, P the time/memory/precomputation cost consumed at each computing unit respectively.
As examples, assume that 4096 computing units can be available for the attacker. Denote by 5-tuple $(\tau, T, M, D, P)$ the cost of our method. Then the cost of breaking DES, AES-128 and A5/1 is $(2^{12}, 2^{25.3}, 2^{25.3}, 2^{12}, 2^{44})$, $(2^{12}, 2^{73.3}, 2^{73.3}, 2^{12}, 2^{116})$ and $(2^{12}, 2^{22.7}, 2^{17.3}, 2^{17.3}, 2^{34.7})$ respectivel

    Analysis of the Distinguished Point Tradeoff Using Duplicate-Removed Tables and Its Parallel Processing

    Thesis (Ph.D.) -- Seoul National University Graduate School: Department of Mathematical Sciences, 2016. 2. 홍진. In a recent paper, the performances of three major time memory tradeoff algorithms, namely, the classical Hellman tradeoff and the non-perfect table versions of the distinguished point (DP) and the rainbow table tradeoff methods, were analyzed and compared against each other. The analysis was accurate in the sense that the extra costs of resolving false alarms were not ignored, and the performance comparison was fair in the sense that both the online complexity and the pre-computation cost were taken into account and the techniques for optimizing storage size were taken into account. Based on this paper, another recent paper analyzed a DP variant, which treats the non-perfect DP tables in parallel, and compared its performance with those of the previous three tradeoff algorithms. In this thesis, we analyze the performances of three more tradeoff algorithms and compare them with the aforementioned four algorithms. The algorithms newly considered here will be the perfect table versions of the DP, rainbow table, and parallel DP tradeoff methods. The performance of an algorithm cannot be represented by a single numeric value and algorithm preferences will depend on the available resources and various situations faced by the tradeoff algorithm implementer. Hence, we will present the performances of the tradeoff algorithms as curves providing the full range of options made available by the algorithms, so as to allow for the implementers to make their choices. However, our comparisons show that, under typical situations, the perfect table parallel DP tradeoff algorithm is more likely to be preferable over the other DP algorithm variants and that the perfect rainbow table method is superior to the other tradeoff algorithms.
On the other hand, yet another recent paper notes that the perfect rainbow table method is widely implemented in practice to process its pre-computation tables in a serial manner, rather than in parallel, as was originally proposed by the algorithm designers. This is because, even though the parallel treatment of the pre-computation tables would be more efficient in theory, the size of the tables is too large to be fully loaded into fast main memory in real-world applications such as password recovery and this affects the real-world performances of the algorithms negatively. Following the approach of the paper, we give the optimal physical wall-clock online execution times for the practically used serial perfect rainbow and the perfect table versions of the DP and rainbow tradeoffs that treat their pre-computation tables in parallel. This is done with various realistic password spaces and at various high success rate requirements, under a specific limitation on the size of available storage. Unlike any theoretical approach to the tradeoff algorithms, the physical online execution time includes the time taken for loading the pre-computation tables from disk to fast memory and the time taken by table lookups. We find that, in contrast with the software developers' intuition, the serial perfect rainbow tradeoff algorithm is inferior to the two algorithms that treat their tables in parallel, when their optimal physical online times are compared under reasonable assumptions and settings.
Our simplified conclusions are that, for the larger of the two search spaces we dealt with, the parallel version of the perfect rainbow table method gives the shortest wall-clock online time, and that, for the smaller search space, when restricted to the same amount of pre-computation, the perfect parallel DP tradeoff is faster than the other algorithms.

Chapter 1 Introduction
Chapter 2 Preliminaries
  2.1 Algorithm Clarification, Terminology, and Notation
    2.1.1 Four Versions of the DP Tradeoff
    2.1.2 Non-perfect and Perfect Rainbow Tradeoffs pR, p¯R
    2.1.3 Perfect Rainbow Tradeoff, Used in Practice s¯R
    2.1.4 Other Conventions and Comments
  2.2 Storage Optimization Techniques
  2.3 Previous Results
    2.3.1 Analyses of the Original DP and Parallel DP Tradeoffs
    2.3.2 Analysis of the Non-perfect Rainbow Tradeoff
Chapter 3 Perfect Table Tradeoff Algorithms
  3.1 Analysis of the Perfect DP Tradeoff
    3.1.1 Online Efficiency
    3.1.2 Storage Optimization
    3.1.3 Experiment Results
  3.2 Analysis of the Perfect Rainbow Tradeoff
    3.2.1 Online Efficiency
    3.2.2 Storage Optimization
Chapter 4 Perfect Parallel DP Tradeoff
  4.1 Online Efficiency
  4.2 Storage Optimization
  4.3 Experiment Results
Chapter 5 Comparisons Focused on Theoretical Complexities
  5.1 Method of Comparison
  5.2 Comparison of DP Variants
  5.3 p¯D vs. Rainbow
Chapter 6 Practice-Oriented Comparison
  6.1 Additional Costs for the p¯D and p¯R Tradeoffs
  6.2 Analysis of the s¯R Tradeoff
  6.3 Expressions for the Physical Online Time
  6.4 How to Minimize the Physical Online Time
  6.5 Comparisons
Chapter 7 Conclusion
Bibliography
Appendix A Practical System Constants τF, τL, and τH
  A.1 tF
  A.2 tL
  A.3 tH
Abstract (in Korean)
Docto